Fortinet VPN with Default Settings Leaves 200,000 Businesses Open
According to network security platform provider SAM Seamless Network, over 200,000 businesses that have deployed the Fortigate VPN solution with its default configuration to let employees connect remotely are vulnerable to man-in-the-middle (MitM) attacks: an attacker can present a valid SSL certificate and fraudulently take over a connection. The problem, according to the researchers, lies in companies' continued use of the default self-signed SSL certificates. Every Fortigate router ships with a default SSL certificate signed by Fortinet, and the client accepts a spoofed certificate in its place as long as that certificate is valid and issued either by Fortinet or by any other trusted CA. This lets the attacker re-route traffic to a server under their control and decrypt its contents.
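The defender-side check the report implies is twofold: clients must verify the gateway's certificate chain and host name, and the gateway must not still present the vendor-signed factory certificate. The following is an added example, not code from SAM Seamless Network or Fortinet; the certificate dicts are constructed samples in the format Python's ssl.SSLSocket.getpeercert() returns, and every name and serial in them is a placeholder.

```python
import ssl

def strict_client_context(ca_bundle=None):
    """Client context that aborts on an unverifiable chain or a name mismatch."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True            # the VPN host name must be in the certificate
    ctx.verify_mode = ssl.CERT_REQUIRED  # no chain to a trusted CA, no connection
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def _rdn_dict(name):
    """Flatten getpeercert()'s nested ((('k', 'v'),), ...) name into a dict."""
    return {k: v for rdn in name for k, v in rdn}

def cert_findings(cert, vpn_hostname):
    """List the reasons a presented certificate is unfit for this VPN gateway."""
    subject = _rdn_dict(cert.get("subject", ()))
    issuer = _rdn_dict(cert.get("issuer", ()))
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    names = dns_names or [subject.get("commonName", "")]
    findings = []
    if vpn_hostname.lower() not in (n.lower() for n in names):
        findings.append("hostname %s not in certificate names %s" % (vpn_hostname, names))
    if subject == issuer:
        findings.append("self-signed certificate")
    if "fortinet" in issuer.get("organizationName", "").lower():
        findings.append("vendor-signed factory certificate still in use")
    return findings

# Constructed sample resembling a factory certificate (all values are placeholders).
FACTORY_CERT = {
    "subject": ((("countryName", "US"),), (("organizationName", "Fortinet"),),
                (("commonName", "FGT-SERIAL-PLACEHOLDER"),)),
    "issuer": ((("countryName", "US"),), (("organizationName", "Fortinet"),),
               (("commonName", "VENDOR-CA-PLACEHOLDER"),)),
}
# Constructed sample of a certificate issued for the organisation's own VPN host name.
ORG_CERT = {
    "subject": ((("organizationName", "Example Corp"),), (("commonName", "vpn.example.com"),)),
    "issuer": ((("organizationName", "Example Public CA"),), (("commonName", "Example Issuing CA"),)),
    "subjectAltName": (("DNS", "vpn.example.com"),),
}

if __name__ == "__main__":
    for label, cert in (("factory", FACTORY_CERT), ("org", ORG_CERT)):
        print(label, cert_findings(cert, "vpn.example.com") or ["ok"])
```

In practice the dict passed to cert_findings comes from getpeercert() on a socket wrapped with strict_client_context(), which has already rejected untrusted chains before the dict is inspected.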
Twitter warns of possible API keys leak
Twitter is notifying developers today about a possible security incident that may have impacted their accounts. The incident was caused by incorrect instructions that the developer.twitter.com website sent to users' browsers. The developer.twitter.com website is the portal where developers manage their Twitter apps and attached API keys, as well as the access token and secret key for their Twitter account. In an email sent to developers today, Twitter said that its developer.twitter.com website told browsers to create and store copies of the API keys, account access token, and account secret in their cache. This might not be a problem for developers using their own browsers, but Twitter is warning developers who may have used public or shared computers to access the developer.twitter.com website, since in that case their API keys are now most likely stored in those browsers. Twitter said it fixed the issue by changing what content gets cached when users access the developer.twitter.com portal. The social network also said it has no indication that any API keys have leaked this way, as an attacker would have to have (1) known about the bug, and (2) had access to a developer's browser to extract the keys and tokens.
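The fix Twitter describes amounts to sending the right caching directives on pages that render secrets. As an added example (not Twitter's code), the headers such a response should carry are shown next to an audit helper that parses Cache-Control and reports whether a browser on a shared computer would be allowed to keep the response on disk; the sample header sets are constructed.

```python
def secret_page_headers(content_type="text/html; charset=utf-8"):
    """Response headers for a page that embeds API keys or tokens."""
    return {
        "Content-Type": content_type,
        # no-store is the only directive that forbids writing the response to disk;
        # no-cache and max-age=0 merely force revalidation of a stored copy.
        "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
        "Pragma": "no-cache",  # for HTTP/1.0 intermediaries
        "Expires": "0",
    }

def parse_cache_control(value):
    """'No-Store, max-age="600"' -> {'no-store': None, 'max-age': '600'}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def may_be_stored(headers):
    """True if the response may be written to a browser or shared cache."""
    lowered = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lowered.get("cache-control", ""))
    return "no-store" not in cc

def audit_secret_response(headers):
    """Findings for a response known to contain secrets; empty list means safe."""
    lowered = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lowered.get("cache-control", ""))
    findings = []
    if may_be_stored(headers):
        findings.append("missing Cache-Control: no-store (copy may persist on disk)")
    if "public" in cc:
        findings.append("Cache-Control: public allows shared caches to keep secrets")
    if "private" not in cc and "no-store" not in cc:
        findings.append("neither private nor no-store set")
    return findings

# Constructed samples: the weak setting beside the corrected one.
WEAK_HEADERS = {"Content-Type": "text/html", "Cache-Control": "public, max-age=600"}
FIXED_HEADERS = secret_page_headers()

if __name__ == "__main__":
    print("weak :", audit_secret_response(WEAK_HEADERS))
    print("fixed:", audit_secret_response(FIXED_HEADERS))
```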
You can bypass TikTok's MFA by logging in via a browser
The popular video app TikTok rolled out SMS and email-based multi-factor authentication (MFA) during August 2020 for its users. A month later, it has been found that this feature is only enabled for the mobile app, not its website. This gap in the feature's implementation means that a malicious threat actor could bypass TikTok's MFA by logging into an account with compromised credentials via the website rather than the mobile app. In addition, it has been reported that the app does not show sessions taking place in real time, nor does it warn users when someone uses their credentials to access their account via a browser. While this is technically an "MFA bypass", the options in the TikTok web dashboard are very limited. Even if an attacker manages to bypass this MFA, they would not be able to change the user's password via the web dashboard; however, they could still deface the user's account or promote scams. The company has stated that it plans to expand MFA to cover its official website in the future.
Joker Playing Hide-and-Seek with Google Play
According to researchers from information security company Zscaler, the Joker, a spyware family that continually targets Android devices, has found its way into Google's official application market again. The malware is designed to steal SMS messages, contact lists, and device information, along with silently signing up the victim for premium wireless application protocol (WAP) services. Although the researchers describe several tactics the Joker author uses to bypass the vetting process, the most common one is the use of "droppers", where the victim's device is infected in a multistage process. Because the malicious actions are usually delayed by hours or days, the security scans do not pick up on the malicious code. Following Zscaler's report, 17 malicious apps infected with the Joker were removed from the official Play Store, where they had been downloaded more than 120,000 times. Google described this malware as one of the most persistent and advanced threats it has dealt with in recent years.
FinSpy Spyware for Mac and Linux OS Targets Egyptian Organisations
Amnesty International uncovered a new surveillance campaign that targeted Egyptian civil society organizations with previously undisclosed versions of the infamous FinSpy surveillance spyware. The new versions employed in this campaign allow its operators to spy on both Linux and macOS systems. FinSpy, also known as FinFisher, is a multiplatform surveillance tool used by government and law enforcement agencies for their investigations, but unfortunately it made the headlines because it was also used by oppressive regimes to spy on dissidents, activists, and journalists. Since 2011 it has been employed in attacks aimed at Human Rights Defenders (HRDs) in many countries, including Bahrain, Ethiopia, and the UAE. FinSpy can spy on most popular desktop and mobile operating systems, including Android, iOS, Windows, macOS, and Linux. It turns the users' devices into spying tools: it can control both the webcam and the microphone, spy on communications, and exfiltrate data stored on the infected systems. The new versions of FinSpy were used by a new, unknown hacking group; Amnesty International speculates that a nation-state actor has employed them since September 2019. The researchers were investigating the activities of another hacking group, tracked as NilePhish, which was involved in the past in attacks aimed at Egyptian NGOs, when they discovered the new spyware sample uploaded to VirusTotal.
Victims of ThunderX ransomware can recover their files for free
The cyber security firm Tesorion has released a free decryptor for the ThunderX ransomware that allows victims to recover their files. This decryptor can freely recover files encrypted by the current version of the ThunderX ransomware, which adds the .tx_locked extension to the name of the encrypted files. To recover the files, victims have to upload a copy of the ransomware's readme.txt and an encrypted file in order to receive a decryption key. The decryptor can be downloaded from the NoMoreRansom project website, which has already helped victims of multiple ransomware families save over one hundred million in ransom payments. When the decryption process is complete, the decryptor displays a summary of the files that have been successfully recovered and those where the recovery has failed.